FEDERAL HOUSING FINANCE AGENCY
OFFICE OF INSPECTOR GENERAL

Clifton Gunderson LLP's Independent Audit of the Federal Housing Finance Agency's Privacy Program and Implementation - 2011

Audit Report: AUD-2011-003          Dated: September 30, 2011


Clifton Gunderson LLP's Independent Audit of the Federal Housing Finance Agency's Privacy Program and Implementation - 2011

Why FHFA-OIG Contracted for Audit

Section 522 of the Consolidated Appropriations Act of 2005 (Section 522), as amended, requires that each agency designate a Chief Privacy Officer and implement comprehensive privacy and data protection procedures governing the agency's collection, use, sharing, disclosure, transfer, storage, and security of information in an identifiable form relating to agency employees and the public. Additionally, Section 522 requires the Inspector General of each agency to periodically review the agency's implementation of the requirements of Section 522, including the agency's privacy program.

A comprehensive privacy program helps to ensure that risks related to the collection, storage, transmission, and destruction of personally identifiable information (PII)—such as an individual's name, date of birth, and social security number—are mitigated. A strong privacy program also provides a framework for the agency to consider the implications of business decisions made as they pertain to PII. A privacy program should also help maintain public trust and confidence in an organization, protect the reputation of an organization, and protect against legal liability for an organization by providing the necessary safeguards to minimize the risk of unintended disclosure of PII.

The Federal Housing Finance Agency (FHFA or Agency) Office of Inspector General (FHFA-OIG) contracted with Clifton Gunderson LLP (CG) to conduct a performance audit to fulfill its Section 522 responsibilities for a periodic review of FHFA's privacy program and its implementation. The objective of this performance audit was to assess FHFA's privacy program and its implementation, including compliance with the statutory and regulatory requirements concerning the protection of PII. The specific sub-objectives were to determine whether FHFA implemented comprehensive privacy and data protection procedures as required by Section 522 and accurately reported on its use of information in an identifiable form (also referred to as PII), along with its privacy and data protection policies and procedures.

What FHFA-OIG Recommends

FHFA-OIG adopted CG's findings and nine recommendations to FHFA to assist in strengthening its privacy program.

In response to FHFA-OIG's findings and recommendations, FHFA provided written comments, dated September 26, 2011. The Agency agreed with the recommendations. The complete text of the written comments can be found in Appendix B of this report.

What Clifton Gunderson LLP Found (See Appendix A of this Report)

While FHFA's privacy program had a number of strengths, such as a policy on the use and protection of PII, FHFA did not meet all of the key requirements of Section 522 for developing and implementing comprehensive privacy and data protection procedures. Specifically, the audit identified that FHFA had not:

• Completed a required privacy program baseline report summarizing FHFA's use of PII and establishing the control framework for privacy protection. The report was completed and submitted to FHFA-OIG after the conclusion of the audit field work in August 2011;
• Designed a job-specific privacy training program to ensure FHFA employees and contractors are familiar with privacy protection roles and responsibilities;
• Established a process for timely publication of required System of Record Notices that describe the existence and character of the system of records before operating systems containing PII;
• Prepared Privacy Impact Assessments of all systems that contain PII and documented assessments made of agency proposed rules to help ensure protection of PII was adequately considered in the systems development and rulemaking processes; and
• Implemented a process for FHFA's Privacy Office to monitor information systems containing PII after they are placed in production.

Addressing these control deficiencies in privacy and data protection procedures will strengthen FHFA's privacy program, further protect individuals from the adverse impact of breaches, and contribute to ongoing efforts to achieve reasonable assurance of adequate protection of PII.

Several of the recommendations made in this report relate to privacy practices that have not been incorporated into the Agency's policies and procedures. Absent formal policies and procedures, FHFA cannot ensure consistent privacy program implementation across all Agency operations and protection of the confidentiality, integrity, and availability of privacy information consistent with statutory and regulatory requirements.


TABLE OF CONTENTS

TABLE OF CONTENTS ..... iii
ABBREVIATIONS ..... iv
PREFACE ..... v
APPENDIX A ..... vi
    Clifton Gunderson LLP's Final Audit Report Entitled, Independent Audit of the Federal Housing Finance Agency's Privacy Program and Implementation - 2011
APPENDIX B ..... vii
    FHFA's Comments to FHFA-OIG's Draft Report
APPENDIX C ..... xi
    FHFA-OIG's Response to FHFA's Comments
APPENDIX D ..... xii
    Summary of Management's Comments on the Recommendations
ADDITIONAL INFORMATION AND COPIES ..... xv

Federal Housing Finance Agency Office of Inspector General • AUD-2011-003 • September 30, 2011


ABBREVIATIONS

CG ..... Clifton Gunderson
CPO ..... Chief Privacy Officer
CISO ..... Chief Information Security Officer
Fannie Mae ..... Federal National Mortgage Association
FHFA ..... Federal Housing Finance Agency
FHFA-OIG ..... Federal Housing Finance Agency Office of Inspector General
FHLBanks ..... Federal Home Loan Banks
Freddie Mac ..... Federal Home Loan Mortgage Corporation
FIPS ..... Federal Information Processing Standards
FISMA ..... Federal Information Security Management Act of 2002
GAGAS ..... Generally Accepted Government Auditing Standards
HERA ..... Housing and Economic Recovery Act of 2008
IT ..... Information Technology
NIST ..... National Institute of Standards and Technology
OMB ..... Office of Management and Budget
PII ..... Personally Identifiable Information
PIA ..... Privacy Impact Assessment
PTA ..... Privacy Threshold Analysis
Section 522 ..... Consolidated Appropriations Act of 2005
SSN ..... Social Security Number
SORN ..... System of Records Notice


Federal Housing Finance Agency
Office of Inspector General
Washington, DC

PREFACE

FHFA-OIG was established by the Housing and Economic Recovery Act of 2008 (HERA),[1] which amended the Inspector General Act of 1978.[2] FHFA-OIG is authorized to conduct audits, investigations, and other activities of the programs and operations of FHFA; to recommend policies that promote economy and efficiency in the administration of such programs and operations; and to prevent and detect fraud and abuse in them. This is one in a series of audits, evaluations, and special reports published as part of FHFA-OIG's oversight responsibilities to promote economy, effectiveness, and efficiency in the administration of FHFA's programs.

The objective of this performance audit was to assess FHFA's privacy program and its implementation, including compliance with the statutory and regulatory requirements concerning the protection of PII. FHFA-OIG contracted with CG to conduct this statutorily required audit. CG's audit report is included in Appendix A of this report.

CG's audit report makes nine recommendations to FHFA to assist in strengthening its privacy program. FHFA-OIG adopts these recommendations and believes they will help the Agency achieve more economical, effective, and efficient operations. FHFA-OIG appreciates the assistance of all those who contributed to the audit.

This report has been distributed to Congress, OMB, and others and will be posted on FHFA-OIG's website, www.fhfaoig.gov/.

Russell A. Rau
Deputy Inspector General for Audits

[1] Public Law No. 110-289.
[2] Public Law No. 95-452.


APPENDIX A

Clifton Gunderson LLP's Independent Audit of the Federal Housing Finance Agency's Privacy Program and Implementation – 2011, pages 1 – 34.


Clifton Gunderson LLP's Independent Audit of the Federal Housing Finance Agency's Privacy Program and Implementation - 2011

Prepared for the
Federal Housing Finance Agency
Office of Inspector General

September 30, 2011

4250 N. Fairfax Drive
Suite 1020
Arlington, Virginia 22203
tel: 571-227-9500
fax: 571-227-9552
www.cliftoncpa.com


Table of Contents

Executive Summary ..... 3
Background ..... 6
    Section 522 of the Consolidated Appropriations Act, 2005 ..... 6
    The Privacy Act of 1974 ..... 7
    E-Government Act of 2002 ..... 8
    OMB Memorandum M-03-22 ..... 8
    OMB Memorandum M-07-16 ..... 9
    NIST Special Publication 800-122 ..... 10
    FHFA Privacy Office ..... 10
    FHFA Privacy Monitoring and Compliance ..... 10
    FHFA Privacy Awareness and Training ..... 12
Results of Audit ..... 14
    Overview ..... 14
    1. FHFA Needed to File the Baseline Report with the FHFA-OIG in a Timely Manner ..... 16
    2. FHFA Needs to Strengthen the Privacy Training Program ..... 17
    3. FHFA Needs to Ensure System of Record Notices Are Published Prior to Systems Being Placed in Operation ..... 20
    4. FHFA Needs to Prepare Privacy Impact Assessments of All Systems that Contain PII and Document Assessments Made of Agency Proposed Rules ..... 22
    5. FHFA Needs to Document, Disseminate, and Implement a Process to Monitor Information Systems Containing PII After Being Placed in Production ..... 24
Appendix I – Objective, Scope, and Methodology ..... 26
Appendix II – Summary of Key Criteria Tested ..... 32


CG's Independent Audit of FHFA's Privacy Program and Implementation - 2011

Executive Summary

September 30, 2011

Honorable Steve A. Linick
Inspector General
Federal Housing Finance Agency
1625 Eye Street, NW
Washington, DC 20006

Dear Mr. Linick:

Section 522 of the Consolidated Appropriations Act of 2005 (Division H, Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005) (Section 522), as amended, requires that each agency designate a Chief Privacy Officer (CPO) and implement comprehensive privacy and data protection procedures governing the agency's collection, use, sharing, disclosure, transfer, storage, and security of information in an identifiable form relating to agency employees and the public. Section 522 also requires the Inspector General of each agency to periodically conduct a review of the agency's implementation of the requirements of Section 522, including the agency's privacy program. The Federal Housing Finance Agency (FHFA) Office of the Inspector General (FHFA-OIG) contracted with Clifton Gunderson (CG) to conduct a performance audit of FHFA's privacy program and its implementation. We are pleased to provide the Fiscal Year (FY) 2011 CG Independent Audit Report, detailing the results of our review of the FHFA's privacy program.

The objective of this performance audit was to assess FHFA's privacy program and its implementation, including compliance with the statutory and regulatory requirements concerning the protection of personally identifiable information (PII).[1] The specific sub-objectives were to determine whether FHFA implemented comprehensive privacy and data protection procedures as required by Section 522 and accurately reported on its use of information in an identifiable form, along with its privacy and data protection policies and procedures. CG's audit included a review of FHFA's privacy related policies and procedures, the structure and positioning of the Privacy Office's function within the agency, the monitoring and compliance efforts of the Privacy Office, and FHFA's network and website for privacy vulnerabilities. CG also reviewed the agency's privacy related training program. These areas were assessed accordingly within the context of the requirements and recommendations of Section 522, Section 208 of the E-Government Act of 2002, the Privacy Act of 1974, OMB memoranda M-03-22 and M-07-16, and NIST Special Publication (SP) 800-122. Our audit was performed in accordance with Generally Accepted Government Auditing Standards (GAGAS).

[1] The terms "personally identifiable information" and "information in an identifiable form" are used interchangeably in privacy-related policies to describe information such as an individual's name, date of birth, and social security number. For purposes of this report, we use the term PII.

While FHFA's privacy program had a number of strengths, such as a policy on the use and protection of PII, FHFA did not meet all of the key requirements of Section 522 for developing and implementing comprehensive privacy and data protection procedures. Specifically, the audit identified that FHFA had not:

• Completed a required privacy program baseline report summarizing FHFA's use of PII;[2]
• Designed the job-specific privacy training program to ensure FHFA employees and contractors are familiar with privacy protection roles and responsibilities;
• Established a process for timely publication of required System of Record Notices that describe the existence and character of the system of records before operating systems containing PII;
• Prepared Privacy Impact Assessments of all systems that contain PII and documented assessments made of agency proposed rules to help ensure protection of PII was adequately considered in the systems development and rulemaking processes; and
• Implemented a process for FHFA's Privacy Office to monitor information systems containing PII after they are placed in production.

Further, several of the recommendations made in this report relate to privacy practices that have not been incorporated into the agency's policies and procedures. Absent formal policies and procedures, FHFA cannot ensure consistent program implementation. In addition, there may be potential civil and criminal ramifications associated with noncompliance with laws if agency employees do not understand their responsibilities under the various privacy laws. FHFA is vulnerable to an increased risk of a breach of sensitive data, which may result in personal harm, loss of public trust, legal liability, or increased costs of responding to a breach. Addressing these control deficiencies in privacy and data protection procedures will strengthen FHFA's privacy program and contribute to ongoing efforts to achieve reasonable assurance of adequate protection of PII.

CG does not consider the findings in this report to be a significant deficiency as defined under the Federal Information Security Management Act of 2002 (FISMA).[3] However, CG concluded that collectively, the deficiencies are significant in the context of the audit objective as defined for performance audits under GAGAS.

[2] On August 17, 2011, after completion of audit field work, FHFA provided the baseline report. FHFA-OIG will evaluate this report as part of future audits.
[3] See page 30 in this report for the definition of significant deficiency under FISMA and deficiency in internal control that is significant in the context of the audit objective according to GAGAS.

FHFA's privacy program had a number of strengths, including but not limited to the following:

• The policy related to the use and protection of PII is documented and provides clear direction and guidance on the use of PII;
• The Breach Notification Policy is documented and roles and responsibilities are defined;
• The Privacy Office performs periodic walk-throughs of agency offices and work areas to monitor the physical protection of PII;
• The Privacy Office provides initial new hire and annual refresher privacy awareness training to all employees and contractors; and
• The Privacy Office oversees the performance of a Privacy Threshold Analysis (PTA) for all new information systems.

This report makes nine recommendations to assist FHFA in strengthening its privacy program.

This performance audit did not constitute an audit of financial statements in accordance with GAGAS. CG was not engaged to, and did not, render an opinion on the FHFA's internal controls over financial reporting or financial management systems. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that controls may become inadequate because of changes in conditions, or because compliance with controls may deteriorate.

Sincerely,

Clifton Gunderson LLP


Background

On July 30, 2008, FHFA was established by the Housing and Economic Recovery Act of 2008 (HERA), Public Law No. 110-289. Specifically, HERA abolished two existing Federal agencies, the Office of Federal Housing Enterprise Oversight and the Federal Housing Finance Board, and in their place created FHFA to regulate the Federal National Mortgage Association (Fannie Mae), the Federal Home Loan Mortgage Corporation (Freddie Mac), the 12 Federal Home Loan Banks (FHLBanks), and the Office of Finance. FHFA is an independent Federal agency, with a Director appointed by the President and confirmed by the U.S. Senate. Its mission is to provide effective supervision, regulation, and housing mission oversight of Fannie Mae, Freddie Mac, and the FHLBanks. FHFA is a non-appropriated, non-apportioned agency that draws its financial resources from assessments on Fannie Mae, Freddie Mac, and the 12 FHLBanks. The Agency has a $201 million budget for fiscal year 2011 and a staff of 598.[4]

Section 522 of the Consolidated Appropriations Act, 2005

Public Law No. 108-447, Division H, Section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act of 2005 (commonly referred to as the Consolidated Appropriations Act of 2005) (Section 522), as amended,[5] states that each agency shall have a Chief Privacy Officer (CPO) to assume primary responsibility for privacy and data protection policy. According to Section 522, each agency shall prepare a written report of its use of information in an identifiable form,[6] along with its privacy and data protection policies and procedures, and record it with the Inspector General of the agency to serve as a benchmark for the agency. Examples of information in identifiable form, also referred to as personally identifiable information (PII), include name, address, social security number (SSN) or other identifying number or code, telephone number, email address, etc. Each report shall be signed by the agency privacy officer to verify that the agency intends to comply with the procedures in the report.

In addition, Section 522 requires the Inspector General of each agency to periodically conduct a review of the agency's implementation of the requirements of the section. The Inspector General may contract with an independent third party to conduct the review, to:

• Evaluate the agency's use of information in identifiable form;
• Evaluate the privacy and data protection procedures of the agency; and
• Recommend strategies and specific steps to improve privacy and data protection management.

[4] The Appendix, Other Independent Agencies, Budget of the United States Government, Fiscal Year 2012, http://www.whitehouse.gov/sites/default/files/omb/budget/fy2012/assets/oia.pdf, pp. 1239-1241.
[5] Section 522 as amended by Section 742 of the Consolidated Appropriations Act, 2008 (Public Law No. 110-161).
[6] The definition of "identifiable form" is consistent with the E-Government Act of 2002 (Public Law No. 107-347), and means any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.

Per the requirements above, the independent third party review must also include:

• A review of the agency's technology, practices, and procedures with regard to the collection, use, sharing, disclosure, transfer, and storage of information in identifiable form;
• A review of the agency's stated privacy and data protection procedures with regard to the collection, use, sharing, disclosure, transfer, and security of personal information in identifiable form relating to agency employees and the public;
• A detailed analysis of agency intranet, network, and websites for privacy vulnerabilities, including:
    o Noncompliance with stated practices, procedures, and policies; and
    o Risks for inadvertent release of information in an identifiable form from the website of the agency; and
• A review of agency compliance with Section 522.

The Privacy Act of 1974

The Privacy Act of 1974, 5 U.S.C. § 552a, as amended, requires agencies to collect only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or executive order of the President. Agencies are required to protect this information from any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom the information is maintained, and must not disclose this information except under certain circumstances.

The information collected is considered a record under the Privacy Act if it is an item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history, and that contains his name or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.

When an agency has a group of any records under its control from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual, the agency has a system of records. The Privacy Act requires that a public notice, commonly referred to as a System of Records Notice (SORN), be published in the Federal Register that describes the existence and character of the system of records. In addition, the Privacy Act requires SORNs to include:

• The name and location of the system;
• The categories of individuals on whom records are maintained in the system;
• The categories of records maintained in the system;
• Each routine use of the records contained in the system, including the categories of users and the purpose of such use;
• The policies and practices of the agency regarding storage, retrievability, access controls, retention, and disposal of the records;
• The title and business address of the agency official who is responsible for the system of records;
• The agency procedures whereby an individual can be notified at his request if the system of records contains a record pertaining to him;
• The agency procedures whereby an individual can be notified at his request how he can gain access to any record pertaining to him contained in the system of records, and how he can contest its content; and
• The categories of sources of records in the system.

E-Government Act of 2002

Section 208 of the E-Government Act of 2002 (Public Law No. 107-347) requires agencies to (1) conduct Privacy Impact Assessments (PIA) of information technology and collections and, in general, make PIAs publicly available; (2) post privacy policies on agency Web sites used by the public; and (3) translate privacy policies into a machine-readable format.

OMB Memorandum M-03-22

OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, addresses privacy protections when members of the public interact with the Federal government and directs agencies to conduct reviews of how information about individuals is handled within their agency when they use information technology to collect new information, or when agencies develop or buy new information technology (IT) systems to handle collections of PII. OMB Memorandum M-03-22 defines a PIA as an analysis of how information is handled: (1) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (2) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and (3) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.
PIAs must analyze and describe the following:\n\n   \xe2\x80\xa2\t What information is to be collected (e.g., nature and source);\n   \xe2\x80\xa2\t Why the information is being collected (e.g., to determine eligibility);\n   \xe2\x80\xa2\t Intended use of the information (e.g., to verify existing data);\n   \xe2\x80\xa2\t With whom the information will be shared (e.g., another agency for a specified\n      programmatic purpose);\n   \xe2\x80\xa2\t What opportunities individuals have to decline to provide information (i.e., where\n      providing information is voluntary) or to consent to particular uses of the\n      information (other than required or authorized uses), and how individuals can\n      grant consent;\n   \xe2\x80\xa2\t How the information will be secured (e.g., administrative and technological\n      controls); and\n   \xe2\x80\xa2\t Whether a system of records is being created under the Privacy Act, 5 U.S.C.\n      552a.\n\n\n                                                 8\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\n\nPIAs must identify what choices the agency made regarding an IT system or collection\nof information as a result of performing the PIA. 
PIAs must also be approved by a\n\xe2\x80\x9creviewing official\xe2\x80\x9d and be made publicly available to the extent that they do not contain\nclassified or sensitive information or raise security concerns.\n\nIn addition to conducting PIAs, OMB Memorandum M-03-22 also requires agencies to\npost privacy policies on agency websites used by the public, translate privacy policies\ninto a standardized machine-readable format, and report annually to OMB on\ncompliance with Section 208 of the E-Government Act of 2002.\n\nOMB Memorandum M-07-16\n\nOMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of\nPersonally Identifiable Information (OMB-M-07-16), requires agencies to develop and\nimplement a breach notification policy and provides the framework within which\nagencies must develop this notification policy while ensuring proper safeguards are in\nplace to protect the information. This memorandum also requires agencies to\nperiodically review their holdings of PII and ensure that they are accurate, relevant,\ntimely, and complete, and reduce them to the minimum necessary for the proper\nperformance of agency functions. OMB Memorandum M-07-16 also requires the\nagency to review the use of SSN and establish a plan to eliminate their unnecessary\ncollection and use. There are also five security requirements within OMB Memorandum\nM-07-16:\n\n    \xe2\x80\xa2\t Encryption. Encrypt, using only National Institute of Standards and Technology\n       (NIST)7 certified cryptographic modules, all data on mobile computers/devices\n       carrying agency data unless the data is determined not to be sensitive, in writing,\n       by your Deputy Secretary or a senior-level individual he/she may designate in\n       writing;\n    \xe2\x80\xa2\t Control Remote Access. 
Allow remote access only with two-factor authentication\n       where one of the factors is provided by a device separate from the computer\n       gaining access;\n    \xe2\x80\xa2\t Time-Out Function. Use a \xe2\x80\x9ctime-out\xe2\x80\x9d function for remote access and mobile\n       devices requiring user re-authentication after thirty minutes of inactivity;\n    \xe2\x80\xa2\t Log and Verify. Log all computer-readable data extracts from databases holding\n       sensitive information and verify each extract, including whether sensitive data\n       has been erased within 90 days or its use is still required; and\n    \xe2\x80\xa2\t Ensure Understanding of Responsibilities. Ensure all individuals with authorized\n       access to personally identifiable information and their supervisors sign at least\n       annually a document clearly describing their responsibilities.\n\n\n\n7\n NIST, an agency within the Department of Commerce, is responsible for developing standards and\nguidelines, including minimum requirements, for providing adequate information security for all agency\noperations and assets.\n\n\n                                                    9\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\n\nNIST Special Publication 800-122\n\nNIST Special Publication (SP) 800-122, Guide to Protecting the Confidentiality of\nPersonally Identifiable Information (PII), provides guidelines for implementing a risk-\nbased approach to protecting PII in the context of information security. It recommends\na process that involves identifying the PII that an agency holds, classifying the PII by\nconfidentiality impact level, and providing safeguards based on the confidentiality\nimpact level. 
It also provides recommendations for developing an incident response\nplan.\n\nFHFA Privacy Office\n\nThe Privacy Office at FHFA is made up of two employees, the Privacy Officer and the\nChief Privacy Officer (CPO) who has also been designated as the Senior Agency\nOfficial for Privacy and is responsible for ensuring compliance with federal laws,\nregulations, and policies related to information privacy. The Privacy Office has a policy\nin place for the protection of PII, Use and Protection of Personally Identifiable\nInformation, as well as a policy for breach notification in the event of a privacy related\nincident, Breach Notification Policy and Plan. The agency has also compiled the\nPrivacy Threshold Analysis and Privacy Impact Assessment Guide for use when\nperforming Privacy Threshold Analyses (PTA) and PIAs described below.\n\nFHFA Privacy Monitoring and Compliance\n\nIn addition to requiring a PTA for each new system as it moves through the system\ndevelopment life cycle, FHFA\xe2\x80\x99s policies also require a PTA if a modification to a system\naffects how the system uses, collects, or stores information. A PTA is a screening tool\ndesigned to assist the CPO in determining what privacy requirements apply to an\ninformation system. There are two parts to the PTA, the first is a questionnaire that is\ncompleted by the system owner that describes the nature and volume of information\ncontained in the system. The second part, which is completed by the CPO, provides for\nthe analysis of the system and the required next steps. A PTA collects the following\ninformation from the system owner in order to assist the CPO in determining what\nprivacy requirements apply to a system:\n\n   \xe2\x80\xa2\t Name of the system and system owners;\n   \xe2\x80\xa2\t Status of the system, why the PTA is being performed;\n   \xe2\x80\xa2\t Does the system contain data fields that collect, maintain, or disseminate\n      information on an individual(s)? 
If so, document the PII the system contains;\n   \xe2\x80\xa2\t Legal authority that allows FHFA to operate the system and collect the\n      information;\n   \xe2\x80\xa2\t Name of SORN that covers the system, or notification that one does not exist;\n   \xe2\x80\xa2\t Whether the information in the system can be linked with other information to\n      identify an individual;\n   \xe2\x80\xa2\t Nature of individuals the system contains information about;\n\n\n                                                10\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\n   \xe2\x80\xa2\t Whether the system collects data from 10 or more members of the public during\n      a calendar year;\n   \xe2\x80\xa2\t The source of the information collected, and if from an individual is a Privacy Act\n      Statement provided to the individual;\n   \xe2\x80\xa2\t Whether the information is retrieved by name of an individual or some identifying\n      number, symbol, or other identifying particular assigned to the individual; and\n   \xe2\x80\xa2\t Whether a Certification and Accreditation has been performed, and if so, the\n      Federal Information Processing Standards (FIPS) Publication (PUB) 199,\n      Standards for Security Categorization of Federal Information and Information\n      Systems, category (discussed below).\n\nBased on the information provided by the system owners, the CPO performs an\nanalysis of the system to determine whether:\n\n    \xe2\x80\xa2\t The system is a PII system;\n    \xe2\x80\xa2\t A new SORN is required for the system; and\n    \xe2\x80\xa2\t A Privacy Act Statement is required.\n\nAs part of the analysis, the CPO assigns a FIPS PUB 199 risk category to the\ninformation contained in the system to the extent it pertains to privacy. 
FIPS PUB 199\nestablishes security categories for information and information systems based on the\npotential impact on the agency should certain events occur which threaten the\ninformation and information systems needed by the agency. FISMA defines three\nsecurity objectives for information and information systems:\n\nConfidentiality - A loss of confidentiality is the unauthorized disclosure of information.\n\nIntegrity - A loss of integrity is the unauthorized modification or destruction of\ninformation.\n\nAvailability - A loss of availability is the disruption of access to or use of information or\nan information system.\n\nThe possible categories of potential impact are:\n\nLow - The loss of confidentiality, integrity, or availability could be expected to have a\nlimited adverse effect on organizational operations, organizational assets, or individuals.\nFHFA PTAs use the wording, \xe2\x80\x9cThe PII elements cannot be used to identify an individual\nor is normally publicly available.\xe2\x80\x9d\n\nModerate - The loss of confidentiality, integrity, or availability could be expected to have\na serious adverse effect on organizational operations, organizational assets, or\nindividuals. FHFA PTAs use the wording, \xe2\x80\x9cThe PII elements are not normally publicly\navailable, but do not pose a higher risk of subsequent identity theft or personal harm to\nthe individual if released.\xe2\x80\x9d\n\n\n\n                                                11\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\nHigh - The loss of confidentiality, integrity, or availability could be expected to have a\nsevere or catastrophic adverse effect on organizational operations, organizational\nassets, or individuals. 
FHFA PTAs use the wording, \xe2\x80\x9cThe PII elements are sensitive PII\nthat pose a higher risk of subsequent identity theft or personal harm to the individual if\nreleased.\xe2\x80\x9d\n\nBased upon the analysis performed by the CPO as part of a PTA, a decision is made as\nto whether a PIA will be performed. 8 The degree of analysis within the PIA is\ndependent on the importance of the system and the FIPS PUB 199 category assigned\nto the privacy related data in the PTA. OMB Memorandum M-03-22 defines a major\nsystem as a system or project that requires special management attention because of\nits:\n\n      1.\t   Importance to the agency mission;\n      2.\t   High development, operating, and maintenance costs;\n      3.\t   High risk;\n      4.\t   High return; and\n      5.\t   Significant role in the administration of an agency\xe2\x80\x99s programs, finances, property\n            or other resources.\n\nAccording to OMB Memorandum M-03-22, a PIA conducted for a major system should\nreflect extensive analyses of the:\n\n      1.\t   Consequences of collection and flow of information;\n      2.\t   Alternatives to collection and handling as designed;\n      3.\t   Appropriate measure to mitigate risks identified for each alternative; and\n      4.\t   Rationale for the final design choice or business process.\n\nIn addition, OMB Memorandum M-03-22 states that the depth and content of the PIA\nshould be appropriate for the nature of the information to be collected and the size and\ncomplexity of the IT system.\n\nThe PIA documents how the information collected within a system is used and the\nsafeguards in place to protect that information. 
The system owner completes the PIA\nwith input and approval from the system developer, the Chief Information Security\nOfficer, the Chief Information Officer, and the CPO.\n\nThe Privacy Office also performs periodic examinations of the FHFA offices to assess\ncompliance with privacy policies.\n\nFHFA Privacy Awareness and Training\n\nFHFA\xe2\x80\x99s Privacy Office provides initial new hire and annual refresher privacy training to\nall employees and contractors. The training is delivered through the assigned FHFA\ncomputer and is administered in conjunction with other IT related training. If an\n8\n    See the section above title OMB Memorandum M-03-22 for a discussion of PIAs.\n\n\n                                                   12\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\nemployee/contractor has not completed the required privacy training within a\nreasonable period of time, the CPO will have that employee\xe2\x80\x99s/contractor\xe2\x80\x99s access to\nFHFA\xe2\x80\x99s information systems turned off until the training is completed.\n\n\n\n\n                                                13\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\nResults of Audit\n\nOverview\n\nSection 522 requires an agency to designate a CPO and implement comprehensive\nprivacy and data protection procedures governing the agency\xe2\x80\x99s collection, use, sharing,\ndisclosure, transfer, storage, and security of information in an identifiable form relating\nto agency employees and the public.\n\nA comprehensive privacy program helps to ensure that risks related to the collection,\nstorage, transmission and destruction of PII are mitigated. A strong privacy program\nalso provides a framework for the agency to consider the implications of business\ndecisions made as they pertain to PII. 
A privacy program should also help maintain\npublic trust and confidence in an organization, protect the reputation of an organization,\nand protect against legal liability for an organization by providing the necessary\nsafeguards to minimize the risk of unintended disclosure of PII.\n\nCG\xe2\x80\x99s audit included a review of FHFA\xe2\x80\x99s privacy related policies and procedures, the\nstructure and positioning of the Privacy Office\xe2\x80\x99s function within the agency, the\nmonitoring and compliance efforts of the Privacy Office, and FHFA\xe2\x80\x99s network and\nwebsite for privacy vulnerabilities. CG also reviewed the agency\xe2\x80\x99s privacy related\ntraining program. These areas were assessed within the context of the requirements\nand recommendations of Section 522, Section 208 of the E-Government Act of 2002,\nthe Privacy Act of 1974, OMB memoranda M-03-22 and M-07-16, and NIST SP 800-\n122.\n\nWhile FHFA\xe2\x80\x99s privacy program had a number of strengths, such as a policy on the use\nand protection of PII, FHFA did not meet all of the key requirements of Section 522 for\ndeveloping and implementing comprehensive privacy and data protection procedures.\nSpecifically, the audit identified that FHFA had not:\n\n      \xe2\x80\xa2\t Completed a required privacy program baseline report summarizing FHFA\xe2\x80\x99s use\n         of PII;9\n      \xe2\x80\xa2\t Designed the job-specific privacy training program to ensure FHFA employees\n         and contractors are familiar with privacy protection roles and responsibilities;\n      \xe2\x80\xa2\t Established a process for timely publication of required SORNs that describe the\n         existence and character of the system of records before operating systems\n         containing PII;\n      \xe2\x80\xa2\t Prepared PIAs of all systems that contain PII and documented assessments\n         made of agency proposed rules to help ensure protection of PII was adequately\n         considered in the 
systems development and rulemaking processes; and\n      \xe2\x80\xa2\t Implemented a process for FHFA\xe2\x80\x99s Privacy Office to monitor information systems\n         containing PII after they are placed in production.\n\n\n9\n    Id. at page 4.\n\n\n                                                14\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\nFurther, several of the recommendations made in this report relate to privacy practices\nthat have not been incorporated into the Agency\xe2\x80\x99s policies and procedures. Absent\nformalized practices, FHFA cannot ensure consistent program implementation. In\naddition, there may be potential civil and criminal legal ramifications associated with\nnoncompliance with laws if agency employees do not understand their responsibilities\nunder the various privacy laws. FHFA is vulnerable to an increased risk of a breach of\nsensitive data, which may result in personal harm, loss of public trust, legal liability, or\nincreased costs of responding to a breach. Addressing these control deficiencies in\nprivacy and data protection procedures will strengthen FHFA\xe2\x80\x99s privacy program and\ncontribute to ongoing efforts to achieve reasonable assurance of adequate protection of\ninformation in an identifiable form.\n\nCG does not consider the five findings stated in this report to be a significant deficiency\nas defined under FISMA.10 However, CG concluded that collectively, the deficiencies\nare significant in the context of the audit objective as defined for performance audits\nunder GAGAS.\n\nAppendix II (page 32) of this report summarizes the results of testing performed of key\ncriteria selected for evaluation associated with FHFA\xe2\x80\x99s privacy program and its\nimplementation. 
Our detailed findings are discussed on pages 16-25.\n\n\n\n\n10\n     See page 30 in this report for the definition of significant deficiency under FISMA.\n\n\n                                                        15\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\nFinding 1. FHFA Needed to File the Baseline Report with the FHFA-OIG in a\nTimely Manner\n\nFHFA did not file a baseline report required by Section 522 with FHFA-OIG in a timely\nmanner. The Inspector General was sworn in to office on October 12, 2010, and the\nreport was not filed until August 17, 2011. The report was filed after the completion of\naudit field work and was not subject to review by CG.\n\nSection 522 states:\n\n       (a) PRIVACY OFFICER- Each agency shall have a Chief Privacy Officer to\n       assume primary responsibility for privacy and data protection policy, including:\n\n       (c) RECORDING- Each agency shall prepare a written report of its use of\n       information in an identifiable form, along with its privacy and data protection\n       policies and procedures and record it with the Inspector General of the agency to\n       serve as a benchmark for the agency. Each report shall be signed by the agency\n       privacy officer to verify that the agency intends to comply with the procedures in\n       the report. By signing the report the privacy officer also verifies that the agency is\n       only using information in identifiable form as detailed in the report.\n\nFHFA-OIG was established at FHFA in October 2010. 
The baseline report was not filed\nby the Agency due to the time required to gather the information to prepare the report.\nWithout a baseline report, FHFA lacks assurance of compliance with established\nprivacy policies.\n\nThe baseline report serves as a useful benchmark for the agency\xe2\x80\x99s privacy program.\nWithout proper documentation of the privacy policies and procedures within the FHFA\nbaseline report, users may not be aware of FHFA\xe2\x80\x99s policies and procedures relating to\nthe privacy and data protection of PII, and will not be able to measure actual privacy\nand data protection practices against the agency\xe2\x80\x99s recorded privacy and data protection\npolicies. As a result, employees may rely on undocumented practices that may not be in\naccordance with the appropriate legal or regulatory guidance and employees may\nmishandle PII exposing the agency to a breach or compromise of PII.\n\nWith submission of the baseline report by the Agency, this finding contains no\nrecommendations, and no further action is necessary. However, FHFA-OIG will\nevaluate the baseline report as part of future audits.\n\n\n\n\n                                                16\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\nFinding 2. FHFA Needs to Strengthen the Privacy Training Program\n\nAlthough recommended by NIST SP 800-122, FHFA has not documented a privacy training\nplan and implementation. Also, FHFA has not identified employees that would benefit\nfrom additional job-specific or role based training based on increased responsibilities\nrelated to PII, and a specific role based training program has not been developed or\nimplemented. OMB M-07-16 requires privacy related training to be job-specific and\ncommensurate with employee\xe2\x80\x99s responsibilities. 
In addition, NIST SP 800-122\nspecifies role-based training be provided depending on the roles and functions\ninvolving PII.\n\nA job-specific privacy training program is important for FHFA to implement as violations\nof the Privacy Act and OMB Memorandum M-03-22 with regard to SORNs and PIAs\nwere noted. For example, two systems of records were in place prior to the publication\nof their respective SORNs, and PIAs were not completed for four systems containing PII\n(refer to findings 3 and 4, pages 20 and 22, respectively).\n\nOMB Memorandum M-07-16 states:\n\n       Communications and training related to privacy and security must be job-specific\n       and commensurate with the employee\xe2\x80\x99s responsibilities.\n\n       Additional or advanced training should also be provided commensurate with\n       increased responsibilities or change in duties.\n\n       Fairness requires that managers, supervisors and employees be informed and\n       trained regarding their respective responsibilities relative to safeguarding\n       personally identifiable information and the consequences and accountability for\n       violation of these responsibilities. Consequences should be commensurate with\n       level of responsibility and type of personally identifiable information involved.\n       Supervisors also must be reminded of their responsibility to instruct, train and\n       supervise employees on safeguarding personally identifiable information.\n       Agencies should develop and implement these policies in accordance with the\n       agency's respective existing authorities.\n\nNIST SP 800-122 states:\n\n       An organization should have a training plan and implementation approach, and\n       an organization\xe2\x80\x98s leadership should communicate the seriousness of protecting\n       PII to its staff. 
Organizational policy should define roles and responsibilities for\n       training; training prerequisites for receiving access to PII; and training periodicity\n       and refresher training requirements. To reduce the possibility that PII will be\n       accessed, used, or disclosed inappropriately, all individuals that have been\n       granted access to PII should receive appropriate training and, where applicable,\n       specific role-based training. Depending on the roles and functions involving PII,\n       important topics to address may include:\n\n\n                                                17\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\n\n       \xe2\x80\xa2   The definition of PII\n       \xe2\x80\xa2   Applicable privacy laws, regulations, and policies\n       \xe2\x80\xa2   Restrictions on data collection, storage, and use of PII\n       \xe2\x80\xa2   Roles and responsibilities for using and protecting PII\n       \xe2\x80\xa2   Appropriate disposal of PII\n       \xe2\x80\xa2   Sanctions for misuse of PII\n       \xe2\x80\xa2   Recognition of a security or privacy incident involving PII\n       \xe2\x80\xa2   Retention schedules for PII\n       \xe2\x80\xa2   Roles and responsibilities in responding to PII-related incidents and reporting.\n\nEducation through training develops a common body of knowledge that reflects all of\nthe various specialties and aspects of PII protection. It is used to develop privacy\nprofessionals who are able to implement privacy programs that enable their\norganizations to proactively respond to privacy challenges\n\nAlthough FHFA provides new hire and annual refresher training related to privacy, the\ntraining program does not specifically address the need for additional or advanced\ntraining for those individuals with increased responsibilities related to PII. 
FHFA has not\ncompleted an analysis of the roles within the agency with increased levels of\nresponsibilities related to PII.\n\nFHFA has documented privacy policies and procedures in its Use and Protection of\nPersonally Identifiable Information Policy. However, a privacy training plan and\nimplementation approach has not been prepared.\n\nTraining programs reinforce the execution of the privacy policies and decrease the risk\nof privacy incidents. Additional or advanced training should be provided to those\nindividuals with increased privacy management responsibilities such as Privacy Office\nemployees and managers who handle PII to remind them to keep in mind privacy\ncontrols when making decisions involving the collection, use, sharing, retention,\ndisclosure, and destruction of PII. Without role based training, individuals may not be\nfully aware of privacy protection requirements specific to the data and records they\nprocess.\n\nPrivacy training is designed to reinforce employees\xe2\x80\x99 understanding of privacy risk\nmanagement processes such as restrictions on data collection, storage, and use of PII.\nWhile FHFA may have effective practices in place based on the institutional knowledge\nof the CPO, absence of a documented training plan and implementation approach may\nlead to inadequate or inconsistent training and a lack of understanding of practices for\nadequate protection of PII. Ultimately, FHFA is vulnerable to an increased risk of a\nbreach of sensitive data, which may result in personal harm, loss of public trust, legal\nliability, or increased costs of responding to a breach.\n\n\n\n\n                                                18\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\n\nWe recommend that FHFA\xe2\x80\x99s CPO:\n\nRecommendation #1. Document, disseminate, and implement a privacy training plan\nand implementation approach.\n\nRecommendation #2. 
Identify those employees that would benefit from additional job\nspecific or role-based privacy training based on increased responsibilities related to PII.\n\nRecommendation #3. Develop and implement targeted role based training for\nemployees whose job functions require additional job specific or role based privacy\ntraining.\n\n\n\n\n                                                19\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\nFinding 3. FHFA Needs to Ensure System of Record Notices are Published\nPrior to Systems Being Placed in Operation.\n\nOf the 18 systems of records reviewed, FHFA had two systems, \xe2\x80\x9cmail, contact, phone and\nother lists;\xe2\x80\x9d and \xe2\x80\x9cfreedom of information and privacy act records,\xe2\x80\x9d in place prior to the\npublication of their respective system-specific SORNs. The Agency believed that all records\nwithin the systems were in fact part of one system. However, upon further review it was\ndetermined that the systems were in fact distinct and warranted separate SORNs. While\nFHFA had published a general SORN to cover these types of records, not publishing more\nspecific SORNs prior to creating new systems of records could lead to a violation of the\nPrivacy Act. These systems are end user computer and paper based systems that contain\nPII.\n\nThe Privacy Act of 1974 states:\n\n       A public notice is required to be published:\n\n       For new systems, before the system of records becomes operational; i.e., before any\n       information about individuals is collected,\n\nThe \xe2\x80\x9cmail, contact, phone and other lists\xe2\x80\x9d system was created by the Office of\nCommunications (OC) to track inquiries made by the public. 
The OC was not aware of\ntheir responsibility to prepare a SORN prior to creating the system.\n\nThe \xe2\x80\x9cfreedom of information and privacy act records\xe2\x80\x9d system was created by the\nprevious Freedom of Information Act (FOIA) officer who concluded that it did not\nconstitute a system of records under the Privacy Act. When the CPO became the FOIA\nOfficer, he determined that it was in fact a system of record and published the required\nSORN.\n\nSince these systems are end user computer and paper based systems, they were not\nsubject to the formal certification and accreditation process that would have identified\nthe need for a SORN. Without a process in place for identification and monitoring of the\ncreation of end user computer and paper based systems, the Agency and the CPO may\nnot be aware that such systems exist.\n\nA SORN is completed during the Requirements Analysis Phase and the Design Phase\nof the system development life cycle process by the respective project manager. This\nnotice describes the system of record and gives the public an opportunity to provide\ntheir views and comments in line with the Privacy Act provisions. The lack of publishing\na SORN prior to a system being operational may lead to individuals not understanding\nthe privacy risks associated with the system, what information is being collected about\nthem, or their rights related to review of the information collected. There are also\npotential civil and criminal legal ramifications related to operating and maintaining\nsystems of records without publishing the required notices.\n\n\n\n\n                                                20\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\nWe recommend that FHFA\xe2\x80\x99s CPO:\n\nRecommendation #4. Develop and implement additional training for employees about\nSORN requirements, focusing on the inadvertent creation of systems of records. 
This\ntraining should stress the legal ramifications potentially associated with creating\nsystems of records prior to publishing a SORN.\n\nRecommendation #5. Strengthen its privacy related procedures to ensure SORNs are\ncompleted prior to systems becoming operational.\n\n\n\n\n                                                21\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\nFinding 4. FHFA Needs to Prepare Privacy Impact Assessments of all Systems\nthat Contain PII and Document Assessments Made of Agency Proposed Rules\n\nAlthough required by OMB Memorandum M-03-22, Privacy Impact Assessments (PIA) were\nnot completed by system owners for four systems containing PII. The systems are: Trakker,\nAffordable Housing Program/Community Investment Cash Advance (AHP/CICA), Content\nManagement Interface (CMI), and Office of Conservatorship Operations\xe2\x80\x99 (OCO) Status\nReport Tracking System. OMB Memorandum M-03-22 allows for a simplified PIA utilizing\nchecklists or templates to be performed, but one must still be completed. In addition, the\nPrivacy Office has not documented assessments required by section 522 of proposed\nrules of the Agency as it relates to privacy of information in an identifiable form.\nOMB Memorandum M-03-22 states:\n\n       Privacy Impact Assessment (PIA)- is an analysis of how information is handled:\n       (i) to ensure handling conforms to applicable legal, regulatory, and policy\n       requirements regarding privacy, (ii) to determine the risks and effects of\n       collecting, maintaining and disseminating information in identifiable form in an\n       electronic information system, and (iii) to examine and evaluate protections and\n       alternative processes for handling information to mitigate potential privacy risks.\n\n       The E-Government Act of 2002 (Public Law No. 
107-347) requires agencies to\n       conduct a PIA before:\n\n       Developing or procuring IT systems or projects that collect, maintain or\n       disseminate information in identifiable form from or about members of the public.\n\n       The depth and content of the PIA should be appropriate for the nature of the\n       information to be collected and the size and complexity of the IT system.\n\n       Agencies may use a standardized approach (e.g., checklist or template) for PIAs\n       involving simple systems containing routine information and involving limited use\n       and access.\n\nSection 522 states:\n\n       (a) PRIVACY OFFICER- Each agency shall have a Chief Privacy Officer to\n       assume primary responsibility for privacy and data protection policy, including:\n\n       (5) conducting a privacy impact assessment of proposed rules of the Department\n       on the privacy of information in an identifiable form, including the type of\n       personally identifiable information collected and the number of people affected;\n\nAccording to the CPO, he made the decision that a PIA need not be performed by\nsystem owners for the four systems because they only contained one or two pieces of\nPII, usually a name or email address. 
In addition, the CPO asserted that the reviews of\nAgency proposed rules were conducted on an informal basis between the CPO and\n\n\n                                                22\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\nthose developing the proposed rules; however, the assessments were not documented\nand therefore, could not be substantiated.\n\nWithout completing a PIA on a system with PII, the Agency may face a potential loss of\ncontrol, compromise, unauthorized disclosure, unauthorized acquisition, or unauthorized\naccess of PII, which may result in personal harm, loss of public trust, legal liability, or\nincreased costs of responding to a breach of PII. In addition, if a privacy impact\nassessment is not performed on proposed rules, FHFA may collect new information or\nchange the way that information is used that would increase the privacy risks to the\nAgency.\n\nWe recommend that FHFA\xe2\x80\x99s CPO:\n\nRecommendation #6. Require the system owners of the following systems with PII to\nprepare a PIA utilizing a template or checklist: Trakker, AHP/CICA, CMI, and OCO Status\nReport Tracking System.\n\nRecommendation #7. Document the privacy impact assessments conducted for\nproposed rules of the Agency as required by Section 522.\n\nRecommendation #8. Establish a process for the completion of template or checklist\nbased PIAs and modify policies and procedures as necessary.\n\n\n\n\n                                                23\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\nFinding 5. 
FHFA Needs to Document, Disseminate, and Implement a\nProcess to Monitor Information Systems Containing PII After being\nPlaced in Production\nFHFA\xe2\x80\x99s Privacy Office has not identified and documented the privacy related security\ncontrols that must be monitored for information systems containing PII that have been\nplaced in the production environment, and how the results of that monitoring should be\ncommunicated to the Privacy Office on an ongoing basis.\n\nSection 522 states:\n\n       (a) PRIVACY OFFICER- Each agency shall have a Chief Privacy Officer to\n       assume primary responsibility for privacy and data protection policy, including:\n\n       (2) assuring that technologies used to collect, use, store, and disclose\n       information in identifiable form allow for continuous auditing of compliance with\n       stated privacy policies and practices governing the collection, use and\n       distribution of information in the operation of the program;\n\n       (7) ensuring that the Department protects information in an identifiable form and\n       information systems from unauthorized access, use, disclosure, disruption,\n       modification, or destruction;\n\nFederal Housing Finance Agency Program Management Procedures in line with NIST\nSP 800-53 Rev. 3 states:\n\n       Continuous Monitoring - (CA-7)\n\n       By regularly reviewing the effectiveness of security controls within FHFA\n       information systems, Program Offices/System Owners are able to quickly detect\n       and respond to new vulnerabilities.\n\nAlthough system tools are implemented for logging, there is no process in place for\nCPO review of the logs, and no documented process for monitoring other privacy\nrelated security controls, therefore monitoring is not fully implemented.\n\nBusiness processes and systems in production from time to time go through changes\nthat may introduce privacy risks. 
Changes may significantly alter system information\nand may require additional controls to protect any PII they contain. Lack of monitoring of\ninformation systems containing PII after they are placed in production may lead to a\ncompromise or breach of PII especially when conditions of systems change, i.e., a system\nis modified or used for a purpose other than what it was originally designed for.\n\n\n\n\n                                                24\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\nWe recommend that that FHFA\xe2\x80\x99s CPO, in coordination with the Chief Information\nSecurity Officer (CISO):\n\nRecommendation #9. Ensure privacy risk is continuously assessed on systems in\nproduction, including when functionalities change or when a major update is done. The\nCPO should document, disseminate (to system owners and the CISO), and implement\npolicies and procedures for continuous monitoring of information systems containing PII\nafter they are placed in production. The policies and procedures at a minimum should:\n\n   a.\t Document the privacy related security controls that are to be monitored to protect\n       information in an identifiable form and information systems from unauthorized\n       access, use, disclosure, disruption, modification, or destruction;\n   b.\t Determine the frequency of the privacy related security controls monitoring and\n       reporting process to the Privacy Office;\n   c.\t Document review of reports generated by the monitoring of the privacy related\n       security controls noted in item b. 
above; and\n   d.\t If necessary, take action on results of monitoring and document results of action\n       taken.\n\n\n\n\n                                                25\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\nAppendix I \xe2\x80\x93 Objective, Scope, and Methodology\n\nObjective\n\nThe objective of this performance audit was to assess FHFA\xe2\x80\x99s privacy program and its\nimplementation, including compliance with the statutory and regulatory requirements\nconcerning the protection of PII. The specific sub-objectives were to determine whether\nFHFA implemented comprehensive privacy and data protection procedures as required\nby the Section 522, as amended and accurately reported on its use of information in an\nidentifiable form, along with its privacy and data protection policies and procedures.\n\nScope\n\nIn assessing FHFA\xe2\x80\x99s compliance with the requirements of Section 522, CG evaluated\nthe following areas:\n\n   \xe2\x80\xa2\t FHFA\xe2\x80\x99s Privacy Policies and Procedures,\n   \xe2\x80\xa2\t FHFA\xe2\x80\x99s Privacy Office,\n   \xe2\x80\xa2\t FHFA\xe2\x80\x99s Privacy Monitoring and Compliance (included evaluation of PIAs and\n      SORNs),\n   \xe2\x80\xa2\t Privacy vulnerability analysis of FHFA\xe2\x80\x99s network and website, and\n   \xe2\x80\xa2\t Privacy Awareness and Training.\n\n   During the audit, CG performed a review of the following documentation provided by\n   the FHFA:\n\n   \xe2\x80\xa2\t   Use and Protection of Personally Identifiable Information Policy,\n   \xe2\x80\xa2\t   Breach Notification Policy and Plan,\n   \xe2\x80\xa2\t   Privacy Threshold Analysis and Privacy Impact Assessment Guide,\n   \xe2\x80\xa2\t   Privacy Office Organizational Chart,\n   \xe2\x80\xa2\t   Chief Privacy Officer Designation,\n   \xe2\x80\xa2\t   Draft SORN Guidance Document,\n   \xe2\x80\xa2\t   Draft Baseline Report,\n   \xe2\x80\xa2\t   FY 2011 Privacy 
Plan to Reduce PII and SSNs,\n   \xe2\x80\xa2\t   Inventory of IT Systems with Personally Identifiable Information, and\n   \xe2\x80\xa2\t   New Hire Training Program.\n\nMethodology\n\n1.\t Review of FHFA\xe2\x80\x99s Privacy Policies and Procedures\n\nAccording to Section 522, each agency is required to establish and implement\ncomprehensive privacy and data protection procedures governing the agency\xe2\x80\x99s\ncollection, use, sharing, disclosure, transfer, storage, and security of information in an\nidentifiable form relating to the agency employees and the public. Such procedures\n\n\n                                                26\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\nshall be consistent with legal and regulatory guidance, including OMB regulations, the\nPrivacy Act of 1974, and Section 208 of the E-Government Act of 2002.\n\nCG performed a thorough review of FHFA\xe2\x80\x99s policy documentation to assess adherence\nto Section 522. CG reviewed FHFA\xe2\x80\x99s baseline privacy documentation. In assessing the\nprivacy policies and procedures, CG determined compliance with federal guidelines\nrelated to privacy and protection of personal identifiable information.\n\n2.\t Review of FHFA\xe2\x80\x99s Privacy Office\n\nSection 522 also requires that each Agency designate a CPO to assume primary\nresponsibility for privacy and data protection policy. CG performed a review of FHFA\xe2\x80\x99s\nPrivacy Office to determine whether the office effectively and efficiently administered\nFHFA\xe2\x80\x99s privacy program. In assessing the Privacy Office, CG reviewed the agency\xe2\x80\x99s\norganization charts/structure and interviewed key privacy officials to determine whether\nthe Agency has identified roles and responsibilities for key privacy officials. 
In addition,\nCG reviewed the appointment letter and job description for the CPO to determine\noverall roles and responsibilities. CG also interviewed the CPO to determine if he was\nperforming all responsibilities and had sufficient resources to perform his duties. In\naddition, CG determined whether the Privacy Office established processes for ensuring\nagency compliance with Federal and agency privacy policies. CG also determined\nwhether the Privacy Office implemented procedures in identifying and securing\ninformation systems containing PII.\n\n3.\t Review of FHFA\xe2\x80\x99s Privacy Monitoring and Compliance\n\nDuring this audit, CG performed procedures to determine whether the Privacy Office\neffectively and efficiently administers FHFA\xe2\x80\x99s privacy program. To accomplish this\nobjective, CG:\n\n   \xe2\x80\xa2\t Determined whether FHFA identified and maintained a complete inventory of\n      information systems containing PII and systems requiring PIAs and has\n      conducted PIAs for the information systems. 
The inventory provided lists 26\n      systems noted as containing PII.\n\n   \xe2\x80\xa2\t For a sample of five information systems, CG reviewed the PIAs and determined\n      whether these PIAs have, at a minimum, analyzed and described:\n         o\t What information needs to be collected (e.g., nature and source);\n         o\t Why the information is being collected (e.g., to determine eligibility);\n         o\t Intended use of the information (e.g., to verify data);\n         o\t With whom the information will be shared (e.g., another agency for a\n             specified programmatic purpose);\n         o\t Opportunities individuals have to decline to provide information (e.g.,\n             where providing information is voluntary) or to consent to particular uses\n             of the information (other than required or authorized uses), and how\n             individuals can grant consent; and\n\n\n                                                27\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\n           o\t How the information will be secured (e.g., administrative and technological\n              controls).\n\n   \xe2\x80\xa2\t CG reviewed PIAs and related documentation for the following systems:\n        o\t Examiner Workstation,\n        o\t Web-TA,\n        o\t HSPD-12 PIV,\n        o\t e-OPF, and\n        o\t Litigation Support System.\n\n   \xe2\x80\xa2\t In addition, CG performed procedures to determine whether a SORN was\n      required and if required, whether one was published. CG reviewed FHFA\xe2\x80\x99s\n      publication of SORNs in the Federal Register and verified that they contain only\n      information about individuals that was \xe2\x80\x9crelevant and necessary\xe2\x80\x9d to accomplish\n      FHFA\xe2\x80\x99s mission. 
In addition, CG determined whether SORNs have been\n      updated to reflect the Agency\xe2\x80\x99s current systems of records.\n\n   \xe2\x80\xa2\t Furthermore, consistent with guidance issued by OMB in 2007 related to privacy\n      protection (OMB Memorandum M-07-16), CG reviewed procedures implemented\n      by FHFA to ensure:\n\n           o\t Privacy was adequately protected and FHFA management has\n              implemented breach notification policies;\n           o\t Procedures were in place to reduce the use of SSNs;\n           o\t Policies existed to notify external agencies about privacy breaches; and\n           o\t FHFA has implemented policies for consequences and accountability for\n              privacy violation.\n\n4.\t Privacy Vulnerability Analysis\n\nCG performed a thorough review and analysis of FHFA\xe2\x80\x99s network and its external\nwebsite for privacy vulnerabilities in accordance with Section 522. These privacy\nvulnerabilities include noncompliance with stated practices, policies and procedures as\nwell as risks of inadvertent release of information in an identifiable form from the\nwebsite of the Agency.\n\nIn completing the vulnerability analysis, the first task was to review results from\nvulnerability assessments conducted during FY 2011 to determine the scope of the\nreview and whether any privacy related vulnerabilities were identified as a result of the\nassessments. The objective was to determine whether any vulnerabilities were\nidentified on the FHFA network related to the risk of inadvertent release of information in\nan identifiable form from the Agency\xe2\x80\x99s network.\n\nIn addition, CG gained a thorough understanding of the FHFA\xe2\x80\x99s documented standards\nregarding its system\xe2\x80\x99s handling and tracking of PII. 
Once the CG team had a thorough\nunderstanding of the agency\xe2\x80\x99s policies as well as its approach to privacy compliance,\n\n\n                                                28\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\nthe team worked with the appropriate FHFA personnel to test and document the\napplication of selected privacy related technical controls from NIST SP 800-53 Rev. 3,\nRecommended Security Controls for Federal Information Systems, within FHFA\xe2\x80\x99s\nnetwork. Technical controls tested include but were not limited to:\n\n   \xe2\x80\xa2\t Access Control\n         o\t Access Enforcement \xe2\x80\x93 AC -1\n         o\t Remote Access \xe2\x80\x93 AC-17\n   \xe2\x80\xa2\t Planning\n         o\t Privacy Impact Assessment \xe2\x80\x93 PL-5\n   \xe2\x80\xa2\t System and Communications Protection\n         o\t System and Communication Protection Policy and Procedures \xe2\x80\x93 SC-1\n         o\t Information in Shared Resources - SC-4\n         o\t Boundary Protection - SC-7\n         o\t Transmission Integrity - SC-8\n         o\t Transmission Confidentiality - SC-9\n         o\t Public Access Protections - SC-14\n         o\t Public Key Infrastructure Certificates - SC-17\n   \xe2\x80\xa2\t System and Information Integrity\n         o\t Software and Information Integrity \xe2\x80\x93 SI-7\n\nCG tested to determine if the Agency has implemented encryption on data transmitted\nover the agency\xe2\x80\x99s communication infrastructure with emphasis on encryption of systems\ncontaining privacy data. 
Our testing enabled us to determine if the information\ntransmitting across the network boundaries is secure and identify any control\nweaknesses with respect to PII.\n\nIn order to conduct the website testing discussed above CG performed procedures to\ndetermine the following for the website:\n\n   \xe2\x80\xa2\t Whether the website was using Secure Socket Layer (SSL) to capture and\n      transfer Privacy Act protected user data;\n   \xe2\x80\xa2\t Whether the appropriate privacy policy and disclosures were posted and\n      available for all visitors and users of the website (CG assessed the web privacy\n      policies to ensure they have implemented the requirements set forth in OMB\n      Memorandum M-03-22, Section III - Privacy Policies on Agency Websites, and\n      FHFA Privacy Policies.);\n   \xe2\x80\xa2\t Whether the website was in compliance with the use of tracking mechanisms;\n   \xe2\x80\xa2\t Ensure that any personal identifiable information was protected; and\n   \xe2\x80\xa2\t Whether FHFA has implemented machine readability technology on its public\n      website, such as Privacy Preferences Project Protocol (P3P).\n\n5.\t Review of FHFA\xe2\x80\x99s Privacy Awareness and Training\n\nDuring this task, CG performed procedures to determine whether the Agency has\nestablished privacy training requirements in accordance with Federal and Agency\n\n\n                                                29\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\nguidance. In addition, CG determined whether FHFA has implemented a training\nprogram regarding role based training for individuals responsible for PII.        CG\ndocumented whether specific user roles have been identified by FHFA that require role-\nbased training.\n\nCG conducted this audit in accordance with GAGAS issued by the Comptroller General\nof the United States. 
Those standards require that audits be planned and performed to\nobtain sufficient, appropriate evidence to provide a reasonable basis for findings and\nconclusions based on the audit objective. CG believes that the evidence obtained\nprovides a reasonable basis for the findings and conclusions included herein, based on\nthe audit objective.\n\nTo assist in the audit, CG reviewed prior year reports to identify potential risk areas.\nThe prior year reports CG reviewed include the FHFA\xe2\x80\x99s FY 2010 Federal Information\nSecurity Act (FISMA) evaluation11 and FY 2009 independent audit report on privacy and\ndata protection.12 CG also reviewed a Government Accountability Office (GAO) report\non opportunities for improving FHFA\xe2\x80\x99s internal controls and accounting procedures,13\nGAO\xe2\x80\x99s report on opportunities for improving information system controls,14 and GAO\xe2\x80\x99s\nfinancial audit report for FHFA\xe2\x80\x99s FY 2009 and FY 2010 financial statements. 15\nAdditionally, CG reviewed FHFA\xe2\x80\x99s policies, procedures and records and conducted\ninterviews of FHFA employees and contractor personnel.\n\nA significant deficiency under FISMA is a weakness in an agency's overall information\nsystems security program or management control structure, or within one or more\ninformation systems, that significantly restricts the capability of the agency to carry out\nits mission or compromises the security of its information, information systems,\npersonnel, or other resources, operations, or assets. In this context, the risk is great\nenough that the agency head and outside agencies must be notified and immediate or\nnear-immediate corrective action must be taken. 
As required in FISMA (Section 3544(c)\n(3)), agencies are to report any significant deficiency in policy, procedure, or practice as\na material weakness in reporting under the Federal Managers\xe2\x80\x99 Financial Integrity Act\nand if relating to financial management systems, as an instance of a lack of substantial\ncompliance under the Federal Financial Management Improvement Act.\n\nCG does not consider the deficiencies noted in this report to be a significant deficiency\nunder FISMA. However, CG concluded collectively that the deficiencies are significant\nin context of the audit objective as defined for performance audits under GAGAS.\n\n11\n   Federal Housing Finance Agency Fiscal Year 2010 Independent Auditor\xe2\x80\x99s Federal Information Security\nManagement Act (FISMA) Report, FHFA Audit Report No. 10-A-03-0TIM, September 30, 2010\n12\n   FY 2009 Independent Audit Report on Privacy and Data Protection, Audit Report No. 09-A-01-\nOCAO/OTIM\n13 Management Report: Opportunities for Improvement in the Federal Housing Finance Agency's Internal\nControls and Accounting Procedures, GAO-11-398R, April 29, 2011\n14\n   Information Security: Opportunities Exist for the Federal Housing Finance Agency to Improve Controls,\nGAO-10-528, April 2010\n15\n   Financial Audit: Federal Housing Finance Agency\xe2\x80\x99s Fiscal Years 2010 and 2009 Financial Statements,\nGAO-11-151, November 2010\n\n\n                                                  30\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\n\nAccording to these standards,16 significance is defined as the relative importance of a\nmatter within the context in which it is being considered, including quantitative and\nqualitative factors. 
Such factors include the magnitude of the matter in relation to the\nsubject matter, the relevance of the matter, the needs and interests of an objective third\nparty with knowledge of the relevant information, and the impact of the matter to the\naudited program or activity. Professional judgment assists auditors when evaluating the\nsignificance of matters within the context of the audit objectives.\n\n\n\n\n16\n     Paragraph 7.04, Significance in a Performance Audit, GAO-07-731G (07/07), p. 123.\n\n\n                                                    31\n\x0c      CG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\n      Appendix II \xe2\x80\x93 Summary of Key Criteria Tested\n\n\n        Policy Requirement                                                                    Audit Conclusion\n1       Sec 522 of the 2005 Appropriations Act\n1.a     Assuring that the use of technologies sustain, and do not erode, privacy              Issue noted. See Recommendation #6 and #8.\n        protections relating to the use, collection, and disclosure of information in an\n        identifiable form\n1.b     Assuring that technologies used to collect, use, store, and disclose information in   Issue noted. See Recommendation #9.\n        identifiable form allow for continuous auditing of compliance with stated privacy\n        policies and practices governing the collection, use and distribution of\n        information in the operation of the program\n1.c     Assuring that personal information contained in Privacy Act systems of records is     Issue noted. 
See Recommendation #4 and #5.\n        handled in full compliance with fair information practices as defined in the\n        Privacy Act of 1974\n1.d     Evaluating legislative and regulatory proposals involving collection, use, and        No issues noted.\n        disclosure of personal information by the federal government\n1.e     Conducting a privacy impact assessment of proposed rules of the department on         Issue noted. See Recommendation #7.\n        the privacy of information in an identifiable form, including the type of\n        personally identifiable information collected and the number of people affected\n1.f     Preparing a report to Congress on an annual basis on activities of the                No issues noted.\n        Department that affect privacy, including complaints of privacy violations,\n        implementations of section 552a of title 5, 11 United States Code, internal\n        controls and other relevant matters\n1.g     Ensuring that the Department protects information in an identifiable form and         Issue noted. See Recommendation #9.\n        information systems from unauthorized access, use, disclosure, disruption,\n        modification, or destruction\n1.h     Training and educating employees on privacy and data protection policies to           Issue noted. See Recommendation #1, #2, and #3.\n        promote awareness of and compliance with established privacy and data\n        protection policies\n1.i     Each agency shall prepare a written report of its use of information in an            Issue noted. 
See Finding #1.\n        identifiable form, along with its privacy and data protection policies and\n        procedures and record it with the Inspector General of the agency to serve as a\n        benchmark for the agency\n\n\n\n                                                                             32\n\x0c      CG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\n        Policy Requirement                                                                  Audit Conclusion\n2       OMB M-07-16\n2.a     Review and Reduce the volume of PII                                                 No issues noted.\n2.b     Reduce the Use of Social Security Numbers                                           No issues noted.\n2.c     Encrypt all data on mobile computers/devices carrying agency data unless the        No issues noted.\n        data is determined not to be sensitive, in writing, by your Deputy Secretary or a\n        senior-level individual he/she may designate in writing.\n2.d     Allow remote access only with two factor authentication where one of the            No issues noted.\n        factors is provided by a device separate from the computer gaining access\n2.e     Use a \xe2\x80\x9ctime-out\xe2\x80\x9d function for remote access and mobile devices requiring user       No issues noted.\n        re-authentication after thirty minutes of inactivity\n2.f     Log all computer-readable data extracts from databases holding sensitive            No issues noted.\n        information and verify each extract, including whether sensitive data has been\n        erased within 90 days or its use is still required\n2.g     Implement procedures for detecting, reporting and responding to security            No issues noted.\n        incidents\n2.h     Rules and consequences policy                                                       No issues noted.\n3       OMB M-03-22\n3.a     Conduct PIAs for electronic 
information systems and collections and, in general,    Issue noted. See Recommendation #6 and #8.     PIAs are\n        make them publicly available                                                        publicly available.\n3.b     Post privacy policies on agency websites used by the public                         No issues noted.\n3.c     Translate privacy policies into a standard machine-readable format                  No issues noted.\n3.d     Report annually to OMB on compliance with section 208 of the E-Government           No issues noted.\n        Act\n4       Privacy Act of 1974\n4.a     Publication of SORNs                                                             Issue noted. See recommendation #4 and #5.\n4.b     Identify each system of records which the agency maintains                       No issues noted.\n4.c     Establish reasonable administrative, technical and physical safeguards to assure No issues noted related to administrative and physical\n        that records are disclosed only to those who are authorized to have access       safeguards. 
Issue noted for technical safeguard monitoring.\n                                                                                         See recommendation #9.\n4.d     Review all agency contracts which provide for the maintenance of systems of No issues noted.\n        records by or on behalf of the agency to assure that language is included which\n        provide that such systems will be maintained in a manner consistent with the Act\n5       NIST 800-122\n\n\n                                                                           33\n\x0c  CG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Privacy Program and Implementation - 2011\n\xef\xbf\xbd\n\n\n      Policy Requirement                                                         Audit Conclusion\n5.a   Impact Level Definitions                                                   No issues noted.\n5.b   Awareness, Training, and Education                                         Issue noted. See Recommendation #1, #2, #3.\n5.c   Security Controls                                                          No issues noted.\n\n\n\n\n                                                                      34\n\x0cAPPENDIX B\nFHFA\xe2\x80\x99s Comments to FHFA-OIG\xe2\x80\x99s Draft Report\n\n\n\n\n     Federal Housing Finance Agency Office of Inspector General \xe2\x80\xa2 AUD-2011-003 \xe2\x80\xa2 September 30, 2011\n                                                  vii\n\x0cFederal Housing Finance Agency Office of Inspector General \xe2\x80\xa2 AUD-2011-003 \xe2\x80\xa2 September 30, 2011\n                                             viii\n\x0cFederal Housing Finance Agency Office of Inspector General \xe2\x80\xa2 AUD-2011-003 \xe2\x80\xa2 September 30, 2011\n                                              ix\n\x0cFederal Housing Finance Agency Office of Inspector General \xe2\x80\xa2 AUD-2011-003 \xe2\x80\xa2 September 30, 2011\n                                              x\n\x0cAPPENDIX C\nFHFA-OIG\xe2\x80\x99s 
Response to FHFA\xe2\x80\x99s Comments\n\nOn September 26, 2011, FHFA provided a response (Appendix B) to the draft of this report.\nFHFA concurred with all recommendations made and described actions it plans to take or has\ntaken to address the issues identified in the report (Appendix A). Based on FHFA\xe2\x80\x99s response,\nFHFA-OIG considers the actions sufficient to resolve the recommendations. However, the\nrecommendations will remain open until FHFA-OIG determines that the agreed-upon corrective\nactions have been completed and are responsive. See Appendix D of this report for a summary\nof management\xe2\x80\x99s comments on the recommendations.\n\nWith regard to recommendation six, FHFA proposed alternate corrective actions to improve\nits review of the four systems for which PIAs were not completed by the system owners, and of\nother similar systems. FHFA-OIG believes the Agency\xe2\x80\x99s actions, which include updates to its\nPrivacy Threshold Analysis and Privacy Impact Assessment Guide and to its PTA form to address\n\xe2\x80\x9croutine database systems,\xe2\x80\x9d meet the intent of the recommendation. 
Specifically, the PTA form will be\nupdated to include the following elements:\n\n   \xe2\x80\xa2    The system was identified as a routine database system;\n   \xe2\x80\xa2    The information collected is non-sensitive PII; and\n   \xe2\x80\xa2    The PTA meets the requirements of conducting a PIA on simple systems containing\n        routine information and limited use and access.\n\nAPPENDIX D\nSummary of Management\xe2\x80\x99s Comments on the Recommendations\n\nThis table presents the management response to the recommendations in FHFA-OIG\xe2\x80\x99s report and\nthe status of the recommendations as of the date of report issuance. For each recommendation\nit gives the corrective action taken or planned, the expected completion date, the monetary\nbenefits, whether the recommendation is resolved (note a), and whether it is open or closed (note b).\n\nRec. No. 1\n   Corrective action taken or planned: FHFA will draft, disseminate, and implement a written\n   Privacy Training and Implementation Approach Plan (Plan).\n   Expected completion date: 03/31/2012\n   Monetary benefits: $0\n   Resolved: Yes\n   Open or closed: Open\n\nRec. No. 2\n   Corrective action taken or planned: As part of the Plan, FHFA will identify those employees\n   or offices that would benefit from additional job-specific or role-based privacy training\n   based on increased responsibilities related to PII.\n   Expected completion date: 03/31/2012\n   Monetary benefits: $0\n   Resolved: Yes\n   Open or closed: Open\n\nRec. No. 3\n   Corrective action taken or planned: In conjunction with the described Plan actions for\n   recommendation 2, FHFA will develop and implement targeted role-based training.\n   Expected completion date: 05/31/2012\n   Monetary benefits: $0\n   Resolved: Yes\n   Open or closed: Open\n\nRec. No. 4\n   Corrective action taken or planned: As part of the Plan, FHFA will develop and implement\n   training for employees on when and why SORNs are required and how to draft them to meet\n   Privacy Act requirements. FHFA\xe2\x80\x99s new employee training, which includes information\n   regarding SORNs, will be updated to place greater emphasis on the requirements of the\n   Privacy Act as it relates to systems of records. The new training will be incorporated into\n   new employee and annual Privacy Awareness training during fiscal year 2012.\n   Expected completion date: Fiscal Year 2012\n   Monetary benefits: $0\n   Resolved: Yes\n   Open or closed: Open\n\nRec. No. 5\n   Corrective action taken or planned: Currently, FHFA has a draft document, Procedure on How\n   and When to Draft a Privacy Act System of Records Notice, which addresses when and why\n   SORNs are required and how to draft one to meet Privacy Act requirements. The document\n   will be posted on the FHFA Info Site and will form the basis for training employees on SORNs.\n   Expected completion date: 11/30/2011\n   Monetary benefits: $0\n   Resolved: Yes\n   Open or closed: Open\n\nRec. No. 6\n   Corrective action taken or planned: FHFA will update its Privacy Threshold Analysis and\n   Privacy Impact Assessment Guide to address how routine database systems containing routine\n   information with limited use and access are analyzed. Further, FHFA will update the PTA\n   form to include a section that clearly identifies those systems that are \xe2\x80\x9croutine database\n   systems.\xe2\x80\x9d The form will require the individual completing the analysis to indicate that an\n   analysis was conducted and will include the following elements: the system was identified\n   as a routine database system; the information collected is non-sensitive PII; and the PTA\n   meets the requirements of conducting a PIA on simple systems containing routine information\n   and limited use and access.\n   Expected completion date: 01/31/2012\n   Monetary benefits: $0\n   Resolved: Yes\n   Open or closed: Open\n\nRec. No. 7\n   Corrective action taken or planned: FHFA will draft agency-wide guidance on how and when\n   privacy impact assessments will be conducted for proposed rules of the Agency.\n   Expected completion date: 09/28/2012\n   Monetary benefits: $0\n   Resolved: Yes\n   Open or closed: Open\n\nRec. No. 8\n   Corrective action taken or planned: See response to recommendation 6 above.\n   Expected completion date: 01/31/2012\n   Monetary benefits: $0\n   Resolved: Yes\n   Open or closed: Open\n\nRec. No. 9\n   Corrective action taken or planned: FHFA\xe2\x80\x99s CPO will work with the CISO and system owners to\n   draft and implement written policies and procedures for continuous monitoring of information\n   systems with PII. FHFA, in coordination with all FHFA divisions and offices, will develop an\n   agency-wide process for continuous monitoring of information systems containing PII.\n   Expected completion date: 09/28/2012\n   Monetary benefits: $0\n   Resolved: Yes\n   Open or closed: Open\n\nNote a: Resolved means \xe2\x80\x93 (1) Management concurs with the recommendation, and the planned, ongoing, and completed\ncorrective action is consistent with the recommendation; (2) Management does not concur with the recommendation,\nbut alternative action meets the intent of the recommendation; or (3) Management agrees to the FHFA-OIG\nmonetary benefits, a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as\nmanagement provides an amount.\nNote b: Once the FHFA-OIG determines that the agreed-upon corrective actions have been completed and are responsive\nto the recommendations, the recommendations can be closed.\n\nADDITIONAL INFORMATION AND COPIES\n\n\nFor additional copies of this report:\n\n       \xe2\x80\xa2   Call the Office of Inspector General (OIG) at: 202-408-2544\n\n       \xe2\x80\xa2   Fax your request to: 202-445-2075\n\n       \xe2\x80\xa2   Visit the OIG website at: www.fhfaoig.gov\n\n\n\nTo report alleged fraud, waste, abuse, mismanagement, or any other kind of criminal or\nnoncriminal misconduct relative to FHFA\xe2\x80\x99s programs or operations:\n\n       \xe2\x80\xa2   Call our Hotline at: 1-800-793-7724\n\n       \xe2\x80\xa2   Fax us the complaint directly to: 202-445-2075\n\n       \xe2\x80\xa2   E-mail us at: oighotline@fhfa.gov\n\n       \xe2\x80\xa2   Write to us at: FHFA Office of Inspector General\n                           Attn: Office of Investigation \xe2\x80\x93 Hotline\n                           1625 Eye Street, NW\n                           Washington, DC 20006-4001\n"